<!DOCTYPE html>
<html>
<head>
    <!-- Only allow same-origin frames, and frames from https://{{hosts[][www1]}}:{{ports[https][0]}} -->
    <meta http-equiv="Content-Security-Policy" content="frame-src 'self' https://{{hosts[][www1]}}:{{ports[https][0]}};">
    <title>frame-src-cross-origin-load</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
</head>
<body>
    <p>
        IFrames blocked by CSP should generate a 'load', not 'error' event, regardless of blocked
        state. This means they appear to be normal cross-origin loads, thereby not leaking URL
        information directly to JS.
    </p>
    <script>
      promise_test(async t => {
        return new Promise((resolve, reject) => {
          let f = document.createElement('iframe');
          f.src = "../support/postmessage-pass.html";
          f.onload = resolve;
          f.onerror = reject;
          document.body.appendChild(f);
        }, "Same-origin allowed frame fires a `load` event.");
      });

      promise_test(async t => {
        return new Promise((resolve, reject) => {
          let f = document.createElement('iframe');
          f.src = "https://{{hosts[][www1]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-pass.html";
          f.onload = resolve;
          f.onerror = reject;
          document.body.appendChild(f);
        }, "Cross-origin allowed frame fires a `load` event.");
      });

      promise_test(async t => {
        return new Promise((resolve, reject) => {
          let f = document.createElement('iframe');
          f.src = "https://{{hosts[alt][]}}:{{ports[https][0]}}/content-security-policy/support/postmessage-fail.html";
          f.onload = resolve;
          f.onerror = reject;
          document.body.appendChild(f);
        }, "Cross-origin blocked frame fires a `load` event.");
      });
    </script>
  </body>
</html>
